GDPR is all about data privacy. There are a number of drivers for privacy, of which the GDPR is just one. You need to get this right to protect your reputation with key stakeholders (e.g. press, consumers, customers, suppliers, vendors), and doing so can open up new business opportunities.
But it's not easy. Data is growing, it's mobile, it's stored in places you might not know about (the cloud), and often no-one in the organisation owns it. In parallel, data is valuable, so it is at risk of theft by people both inside and outside your organisation. Symantec's ISTR research shows that 49% of data breaches are the result of an external threat. So you need to look at the issue holistically.
4. Not all Organisations have the same level of Consumer Trust for Securing Data
Source: https://www.symantec.com/content/en/us/about/presskits/b-state-of-privacy-report-2015.pdf

[Chart: share of consumers who trust each type of organisation to keep their data completely secure; values paired with labels in the order they appear on the slide]
  Hospitals / medical services                      69%
  Banks                                             66%
  Government                                        45%
  Technology companies (e.g. Google, Microsoft)     22%
  Retailers (including online shops)                20%
  Social media sites (e.g. Facebook, Twitter)       10%

Organisations whose business models are based on data (tech companies and social media companies) appear less trusted to keep customer data completely secure.
[Graphic label: Data Trust Chain]
Building Trust – Best Practices for Protecting Data in the Cloud
16. Starting Questions for the GDPR
- Do you know what personal data you process? Yes / No
- Do you know where it is and how it flows in the organisation? Yes / No
- Do you consider privacy at every level? Yes / No
- Do you think user / data subject first in security? Yes / No
- Have you reviewed your information risk management process for data privacy? Yes / No
- Have you reviewed your security controls against privacy requirements? Yes / No
- Do you have robust detection and monitoring processes? Yes / No
- Have you tested and implemented your response plans, including notification and external communication? Yes / No
If you answered No to any of these then you need to start planning for the GDPR.
19. Data Protection is a Tool for Risk Reduction
[Chart: Risk Reduction Over Time. Y-axis: Incidents per week (0 to 1000). Stages along the X-axis: Visibility, Remediation, Notification, Prevention.]
EU General Data Protection Regulation
20. What Good Data Governance brings to a company
- Control Your Data: Reduce Costs
- Know Your Data: Business Value from your Information
- Agility: Be Agile and Innovative
[Graphic label: Mobile/BYOD/IoT Endpoints]
21. Reducing Risk from Preparation to Response
PREPARE
  Goal: Understand personal data & risk posture
  - Data Discovery and Privacy Impact Assessments: Data Loss Prevention
  - Risk Posture Assessment and Remediation: Control Compliance Suite / Endpoint Management
  - Cloud Data Risk Posture Assessment: Elastica
PROTECT
  Goal: Protect personal data from malicious attack & misuse
  - Information Protection and Governance: Data Loss Prevention / Encryption / Authentication
  - Threat Protection: SEP / DCS / ATP / Email Security / Web Security
  - Data Encryption & Tokenization: ProxySG, Cloud Data Protection
DETECT
  Goal: Provide rapid detection; understand impact of breach
  - Monitoring, Threat Intelligence and Cyber Expertise: Cyber Security Services
  - Advanced Persistent Threat Detection: ATP / Unified Analytics
  - Advanced Persistent Threat Detection: SSL Visibility, CAS/MA, Security Analytics
RESPOND
  Goal: Respond efficiently & effectively to be compliant; mitigate risk
  - Crisis Management and Incident Response: Cyber Security Services
  - Cyber Insurance
  - Unified Analytics
  - Incident Response and Network Forensics: Security Analytics
Intended audience: enable sales to then talk to customers
Strong data governance and information risk management is no longer a choice. The EU’s recent approval of the GDPR (General Data Protection Regulation) means there are tangible implications for businesses that do not comply with data privacy regulations.
Information is now one of our most valuable assets, and managing it well will provide a competitive advantage, just as poor practices will lead to a negative brand reputation and business impact. Establishing a trusted reputation for data governance and data privacy will become increasingly important to business leaders. They will need to show that they make responsible use of personal data in their business and protect it from exploitation or attack.
Our lives are accelerating, partly due to the ubiquitous use of mobile devices and the connected nature of the Internet of Things. Digital transformation doesn't just increase the need for data privacy by creating more data; it also increases the challenge of protecting that data.
Symantec's market-leading Information Protection solutions help you locate and secure personal data so you know where your data is. Our Threat Protection solutions can prevent and detect the prevalent malicious attacks targeting sensitive data. Knowing where your data is and how to protect it will go a long way towards helping businesses achieve compliance.
I said privacy is important to customers, let’s look at some research behind that.
------------------
If your business involves personal data then privacy needs to be at the core of your business in order to be successful. Historically, businesses have not always focused on privacy in the way that they should. Increasingly, however, if you don't prioritise privacy it will hurt your chances of success. A privacy framework and regulation have been around since the 1950s. Although privacy is a business issue, it's also an emotive issue that can create an instinctive reaction in consumers.
In countries like France and Germany the privacy of personal data is culturally important, and failing to look after it can directly affect business. With the increase in breaches, the press headlines they bring and the impact on business reputation, protecting the personal data of customers and employees has never been more important. However, we're working in a world where there are inhibitors to that drive. We haven't taken ownership of the data we hold, and it is growing further as we adopt new technology such as IoT. We need to take ownership of our data and ensure that we protect privacy.
The GDPR is an evolution not a revolution of the existing privacy framework to deal with the inhibitors to privacy whilst protecting EU citizens and residents from abuses which could arise.
This makes IT security and risk management, protecting data whilst enabling an increasingly connected and digital world, more relevant to business than ever.
Under GDPR, the "drive for privacy" comes first and foremost from:
- the idea of privacy being a fundamental right (you can’t fool around with it or take it lightly)
- the Accountability principle (you need to prove you do the right thing across the board)
- the Privacy by Design principle (you need to build all your products in a certain way)
- the Privacy by Default principle (you can only bring your products to market in a certain way)
And only then can we go into technicalities like the security and breach notice components, or international data transfers for that matter.
Our State of Privacy report shows that privacy is the most important factor when customers use products and services from an organisation. So you need to be able to both provide data security and demonstrate this to be successful.
------------------------------
Individuals care about privacy. Getting this right is essential to the success of the business.
Getting privacy right will be a competitive advantage for a business, so it’s not just about complying with the regulation, a good privacy focus can provide a real competitive advantage to a business.
This will also pass down through the supply chain. Even if your business doesn’t directly consume customer data a good privacy posture will be important in successfully fulfilling contracts with other companies.
In the next few slides, let's look deeper at the GDPR and cover:
How it came about
Timeline and next steps
Scope
High level requirements
Key points
The regulation is designed to harmonise data privacy legislation and have 1 common regulation across all 28 member states.
This will provide a level playing field, but each country starts from a different place. Depending on the gap between a member state's current implementation of the Directive and the Regulation, the impact will vary from country to country.
The regulation was approved in April 2016 and applies from 25 May 2018. Organisations need to prepare to comply.
There is a difference between a Directive and a Regulation.
Directive – Up to each country how they achieve the goal
Regulation – Must be adopted in its entirety across the EU
The GDPR covers these 4 important points, underpinned by the need to protect during the lifecycle. There are more elements than this but these 4 points will have the greatest impact on organisations.
It defines what is personal data (see earlier)
It explains when you have, or how you seek, legal permission for processing data (e.g. ABC News asking readers to sign up for a newsletter, or collecting IP addresses for geographical analysis)
Privacy needs to be embedded in the organisation (eg. ABC News has to think about the privacy of their subscribers whenever they develop new services)
Data needs to be secured. (eg ABC News needs to implement controls to protect the personal data they store to prevent it being lost or stolen)
-------------------
We just said GDPR is underpinned by the lifecycle. Let’s look at the data governance lifecycle.
Start with Collect:
Do I have the right to collect data
Process – what permission do I have? Remember this is specific, so I may need new permission to process data in a new way (e.g. ABC News collects data to send a newsletter; they can't automatically use that data to market a new event or publication)
Retain and Secure – how you store data, for how long and the holistic steps you take to secure it
Management – how you put the principles and policies relating to the cycle into practice, i.e. do you have the processes and mechanisms in place for the data subject to access their records and to change them, including amending data records and requesting the deletion of records (right to be forgotten)
What this means for an organisation: we see four focus areas. Let's look at each one in turn.
-----------------
Maybe this is about the "business value from your information" point: it is very important to stress that GDPR is not something meant to prevent a company from building value from data; it is something that defines the rules of how you can build business value. If you do it by the rules, you will create sustainable value. If you don't, you will be at risk of losing it all, and even much more.
Starts with the DPO.
Let’s look again at ABC Media.
The DPO needs to demonstrate compliance. This needs to cover:
Privacy by design
PIA based on a risk approach (so frequency can vary). A Privacy Impact Assessment under GDPR (the Data Protection Impact Assessment of Article 35) needs to be done from the data subject's perspective: it evaluates the privacy risk to the individual, not the compliance risk to the company.
Developing appropriate policy, process and tech
Ensuring effective controls in place (that stand up to audit scrutiny)
So let’s think ABC Media. (reorder circles)
ABC Media decide to do a PIA, and that identifies a need to improve security requirements (circle 1).
There are 2 elements of improvement needed. First, protection and access control (encryption and identity management), circle 2. This reduces the consequence (impact) of a breach: if the lost data was encrypted and the key was not exposed, the GDPR does not require notifying the affected individuals (Article 34(3)(a)), although the supervisory authority may still need to be told.
They need to secure personal data. The law recognises that network and information security is a legitimate interest (Recital 49), so organisations can use cybersecurity technologies to protect themselves without needing the attacker's permission to store data about them.
There is also a need for fast and effective detection and response (circle 5) to meet the obligation to notify the supervisory authority of a breach without undue delay and, where feasible, within 72 hours of becoming aware of it.
-------------------------
We hear from customers a number of misconceptions or concerns around what this means for storing and transferring data. Let’s look at some of the myths and the reality
The GDPR is not meant to prevent a company from building value from data, it is something that defines the rules of how you can build business value. If you do it by the rules, you will create sustainable value. If you don’t, you will be at risk of losing it all, and even much more.
The max penalties are 4% of the global annual turnover or 20 million Euro, whichever is greater.
The presence of national authorities makes enforcement more likely. The presence of an EU coordinating mechanism makes enforcement on a pan-European scale more likely.
Fines will apply when a company isn’t seen to have put the appropriate protection in place.
- If you don’t put in place security, you expose yourself to penalties for non-compliance.
- If you suffer a breach in spite of your best efforts and you report it, and if you can demonstrate the efforts you made, you are far less likely to face sanctions.
- If you suffer a breach because of the lack of sufficient security, then you might be sanctioned, but again not because of the breach, but because of your failure to take adequate security measures.
- However if you suffer a breach and you don’t report it, then you do expose yourself to the higher levels of sanction because of the deliberate decision not to comply.
- And ultimately, you might think that reporting breaches is bad for your reputation, but you know what will be much much worse? Being caught in the act of trying to cover it up. And chances are you will be caught. And in that case, you’ll be under the heaviest sanctions permitted by the law.
As per earlier comments, align the boxes on this graph to the boxes in the previous two slides. Also move “demonstrate compliance” from being a sub-box under “Manage” to the central piece at the heart of the cycle, since the ability to demonstrate compliance with every aspect is at the essence of accountability.
Insurance can only help if you’ve done things right. They won’t pay out if you haven’t done the right thing.
Proactive not Reactive; Do not wait for privacy risks to materialize, or offer remedies for resolving privacy infractions once they have occurred — aim to prevent them from occurring. In short, Privacy by Design comes before-the-fact, not after.
Privacy as the Default Setting We can all be certain of one thing — the default rules! Privacy by Default seeks to deliver the maximum degree of privacy by ensuring that personal data is automatically protected in any given IT system or business practice. If an individual does nothing, their privacy still remains intact. No action is required on the part of the individual to protect their privacy — it is built into the system, by default.
Privacy Embedded into Design Privacy by Design is embedded into the design and architecture of IT systems and business practices. It is not bolted on as an add-on, after the fact.
Full Functionality —Privacy by Design avoids the pretense of false dichotomies, such as privacy vs. security, demonstrating that it is possible to have both. Implement cyber security solutions that don’t undermine the privacy of your customers or employees.
End-to-End Security — Protect information across its full lifecycle. Strong security measures are essential to privacy, from start to finish. This ensures that all data is securely retained, and then securely destroyed at the end of the process, in a timely fashion. Thus, Privacy by Design ensures cradle-to-grave, secure lifecycle management of information, end-to-end.
Visibility and Transparency — Keep it Open Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives, subject to independent verification. Its component parts and operations remain visible and transparent, to users and providers alike. Remember, trust but verify.
Respect for User Privacy — Keep it User-Centric Above all, Privacy by Design requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options. Keep it user-centric. This is the mindset that must govern Privacy Impact Assessments.
[FIRST EXPLAIN THE AXES]
I want to show you the stages of risk reduction over time and how it looks for customers.
At this point, you may be wondering: what’s the best way to get started with DLP? In working with our customers over the years, we’ve developed a proven methodology for measurably reducing their data loss risk. It’s made up of four key stages: visibility, remediation, notification, and prevention.
Visibility
One of the biggest challenges is gaining visibility into where data loss risk is. As mentioned earlier, broken business processes are a primary culprit of data loss. With our customizable reporting and dashboards, we can help you identify your exposed areas, broken business processes and high risk users through a single pane of glass. Other vendors stop here and dump a bunch of incidents on your desk. Once you have them, you need to aggregate and correlate them to understand where the broken business processes are that lead to the incidents in the first place.
During the baseline step, the goal is to gain visibility into what’s going on within your organization. Esurance, an online auto insurance company, is using Symantec DLP to protect hundreds of thousands of CCNs and SSNs. Their primary concern was mobile employees copying sensitive data from their laptops onto USBs and CD/DVDs. Using Symantec DLP, they were able to establish a baseline to understand what was going on and then see how claim reps were creating a lot of incidents, just to get their work done while on the road.
Our customers tell us that finding incidents is just the first step. The real work of fixing incidents is what really begins to successfully reduce the risk of data loss.
Remediation
Once you know what business processes are broken and who your top offenders are, you need to start remediation. Our customers have told us that 90% of DLP is about what you do after you find incidents. With Symantec DLP, you can set up custom workflow paths and remediation responses based on severity to make sure the right action is taken at the right time.
One of our customers is a large regional healthcare provider who has been using Symantec DLP since 2006. They have over 16,000 employees and 4,200 doctors across 7 hospitals. Their CIO and CISO made DLP a top priority because they needed to protect millions of patient and employee health records – including SSNs, CCNs and medical record numbers – and demonstrate compliance with HIPAA and PCI. They found that doctors were the biggest offenders – sending sensitive patient information to their webmail. As a result, they were able to target their security training and awareness programs and drove down their risk by 70%.
Notification
Notification is one of the single biggest contributors to reducing risk. By notifying employees right away to alert them of inappropriate use you can instantly educate them on security policies.
With Symantec DLP, one of our Fortune 100 insurance customers saw an 80% risk reduction in 20 days by turning on automated sender notification. Over 90% of their first time offenders did not have a repeat offense after they turned on real-time notifications. They changed employee behavior and, as a result, reduced the workload for their incident response team.
Prevention
With visibility, remediation and notification you will whittle down the number of incidents. The last step in the methodology is prevention, which is stopping data from inappropriately leaving your network.
One of our Fortune 1000 customers saw a 97% risk reduction by fingerprinting every U.S. citizen's SSN and PII. When a certain combination of SSN and other PII was detected, they blocked email and web communications. They quarantined emails and exposed files, and they routed messages to an encryption gateway which automatically enforced their encryption policies. In summary, they stopped data from leaving.
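The four stages above are one procedure, so here is a single worked example that runs through all of them. It is added for this page and is not Symantec DLP code, nor does it reproduce its policy language; it shows the two detection techniques the text mentions (a described-content rule for U.S. SSNs and exact data matching of known values, i.e. "fingerprinting") and how the response to the same incident escalates from visibility (log) to prevention (block). The sender addresses, messages, SSNs and the HMAC key are all constructed assumptions.

```python
"""Toy DLP policy engine walking the visibility -> remediation ->
notification -> prevention stages. Added example, not Symantec DLP.
All sample data below is constructed; the HMAC key is an assumed
per-deployment secret."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Described content: SSN format with structurally invalid ranges excluded
# (area 000/666/9xx, group 00, serial 0000). Dropping them removes a class
# of false positives such as placeholder or test numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Exact data matching: known customer SSNs are indexed as keyed hashes so
# the DLP index itself is not a second plaintext copy of the sensitive data.
FINGERPRINT_KEY = b"example-key-rotate-per-deployment"  # assumption
KNOWN_SSNS = ["123-45-6789", "456-78-9012"]             # constructed values


def fingerprint(value: str) -> str:
    """Normalise to digits, then HMAC so formatting differences still match."""
    digits = re.sub(r"\D", "", value)
    return hmac.new(FINGERPRINT_KEY, digits.encode(), hashlib.sha256).hexdigest()


FINGERPRINT_INDEX = {fingerprint(s) for s in KNOWN_SSNS}

# Response depends on the methodology stage the programme has reached.
# "high" = exact match on indexed data or a bulk pattern hit;
# "medium" = a few pattern matches with no indexed value.
BULK_THRESHOLD = 5
ACTIONS = {
    "visibility":   {"medium": "log",           "high": "log"},
    "remediation":  {"medium": "log+assign",    "high": "log+escalate"},
    "notification": {"medium": "notify_sender", "high": "notify_sender+escalate"},
    "prevention":   {"medium": "notify_sender", "high": "block"},
}


@dataclass
class Incident:
    sender: str
    channel: str
    severity: str
    action: str
    pattern_hits: int
    exact_hits: int


def find_ssns(text: str) -> list:
    return [m.group(0) for m in SSN_RE.finditer(text)]


def classify(text: str):
    """Return (severity or None, pattern_hits, exact_hits) for one payload."""
    found = find_ssns(text)
    exact = [s for s in found if fingerprint(s) in FINGERPRINT_INDEX]
    if exact or len(found) >= BULK_THRESHOLD:
        return "high", len(found), len(exact)
    if found:
        return "medium", len(found), len(exact)
    return None, 0, 0


def evaluate(message: dict, stage: str):
    """Apply the policy to one outbound message at the given stage."""
    if stage not in ACTIONS:
        raise ValueError(f"unknown stage {stage!r}")
    payload = message["body"] + "\n" + message.get("attachment", "")
    severity, hits, exact = classify(payload)
    if severity is None:
        return None
    return Incident(message["sender"], message["channel"], severity,
                    ACTIONS[stage][severity], hits, exact)


# Constructed outbound traffic: a claims rep mailing customer records out,
# an internal memo quoting placeholder numbers (must not fire), and one
# valid-looking but unindexed SSN posted to a partner site.
SAMPLE_MESSAGES = [
    {"sender": "claims.rep@example.com", "channel": "smtp",
     "body": "Claims for this week attached, working from the road.",
     "attachment": "Smith,123-45-6789,approved\nJones,456-78-9012,pending"},
    {"sender": "it.ops@example.com", "channel": "smtp",
     "body": "Use 666-12-3456 or 000-12-3456 as placeholders in test fixtures."},
    {"sender": "hr@example.com", "channel": "https",
     "body": "Background check request for candidate, SSN 234-56-7890."},
]


def run_stage(stage: str) -> list:
    """Incidents raised across the sample traffic at one stage."""
    return [i for i in (evaluate(m, stage) for m in SAMPLE_MESSAGES) if i]


if __name__ == "__main__":
    for stage in ACTIONS:
        for inc in run_stage(stage):
            print(f"{stage:12} {inc.sender:25} {inc.severity:6} -> {inc.action}")
```

Running the block prints the same two incidents at every stage with only the action changing, which is the point of the methodology: detection is fixed early, and risk falls as the response moves from logging to sender notification to blocking. The placeholder numbers in the second message never raise an incident, showing why format validation matters before turning on blocking.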
Conclusion
In summary, Symantec DLP can significantly reduce your company’s overall risk of data loss. We help security teams enable the business side by educating employees, fixing broken business processes, and supporting business activity to occur securely.
Business Value
- Know where your information is and that it's healthy
- You're confident you have the right to use it
- Build your brand for privacy with your customers
Reduce costs
- Streamline operations for projects such as data migration, cloud storage, permissions clean-up etc.
- Automate information processing and documentation
Be Agile
- Be more informed about your information
- Make better business decisions